How is CVE-2026-46444 exploited?

Network reachability (required): The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the Flowise API service via HTTP. Authentication (required): Any valid low-privilege API key is sufficient; no admin or elevated account is needed, but some credential is required. Victim interaction (not-required): The attacker can send requests directly to the API with no user interaction needed. Attack complexity (info): Exploitation is reliable and condition-free: no race conditions or special environmental factors are required to trigger the missing permission checks.

What is the impact of CVE-2026-46444?

Reads all vector store data associated with OpenAI Assistants, including embedded document chunks and associated metadata. Creates or overwrites vector store entries, injecting arbitrary content into the LLM's retrieval context. Deletes existing vector store data, permanently removing knowledge base content that the LLM depends on. Disrupts the availability of any Flowise flow that relies on the affected vector store by corrupting or emptying its contents.

Back to search

HIGHCVE-2026-46444Published 2026-06-08Modified 2026-06-08CNA GitHub_M

CVE-2026-46444: Flowise: Vector Store No Permission Checks

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, all CRUD endpoints for OpenAI Assistants Vector Store have no authentication middleware and the route path /api/v1/openai-assistants-vector-store is not in WHITELIST_URLS. However, it is also not protected by the main auth middleware when accessed via API key — the route requires API key auth (not whitelisted), but no permission checks exist on any operation. This issue has been patched in version 3.1.2.

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

This is an authentication bypass (missing permission checks) in Flowise, the drag-and-drop LLM flow builder. The /api/v1/openai-assistants-vector-store endpoint is reachable over the network with only a low-privilege API key and performs no permission checks on any CRUD operation, meaning any authenticated API key holder can read, create, update, or delete vector store data regardless of their intended access level. Successful exploitation gives an attacker full read, write, and delete control over OpenAI Assistants Vector Store contents. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment a fix version is published upstream.

HarborGuard Coverage

Detection

Detection for CVE-2026-46444 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built Flowise images, in both registry scans and CI pipeline checks.

Available

Triage

HarborGuard scores this CVE at 8.7 HIGH using the CVSS v4.0 vector and is capable of weighting that score against each customer environment's compliance policy to determine urgency. Triage findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

No fix version has been published upstream for CVE-2026-46444 at this time. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment FlowiseAI releases a remediated version.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the Flowise API service via HTTP.
AuthenticationRequired
Any valid low-privilege API key is sufficient; no admin or elevated account is needed, but some credential is required.
Victim interactionNot required
The attacker can send requests directly to the API with no user interaction needed.
Attack complexityDetail
Exploitation is reliable and condition-free: no race conditions or special environmental factors are required to trigger the missing permission checks.

Blast Radius

Reads all vector store data associated with OpenAI Assistants, including embedded document chunks and associated metadata.
Creates or overwrites vector store entries, injecting arbitrary content into the LLM's retrieval context.
Deletes existing vector store data, permanently removing knowledge base content that the LLM depends on.
Disrupts the availability of any Flowise flow that relies on the affected vector store by corrupting or emptying its contents.

How HarborGuard Handles This

Available on HarborGuard: scanning for CVE-2026-46444 is active across all customer environments running Flowise images. Because no upstream fix version exists yet, HarborGuard monitors the FlowiseAI advisory on every ingest cycle and will trigger a patched-image rebuild automatically once version 3.1.2 or later is published. In the interim, compensating controls available through HarborGuard include network-policy isolation to restrict inbound access to the Flowise API surface, and egress filtering to limit the blast radius if a container is compromised. For customers who opt into auto-remediation, a rebuilt image, regression-test run, and a PR opened against affected workloads will be available within minutes of the upstream patch landing. Where compliance policy permits, HarborGuard can also flag any image running an affected Flowise version as policy-blocked in the CI pipeline to prevent promotion to production.

See how HarborGuard automates this

Affected packages

FlowiseAI / Flowise
< 3.1.2

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

Metrics

Get notified